In the Wireless Control System (WCS) 5.0 release, WCS enhanced the
Rogue Management functionality for different rogue AP types and provided
user-defined rules to automatically classify the rogue APs. WCS applied rogue
AP classification rules to the controllers. This document explains the enhanced
Rogue Management functionality and the steps necessary to configure this
functionality on the Wireless LAN Controller (WLC) and WCS.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and
Cisco 4400 Series WLC that runs firmware 5.2
Cisco Aironet 1130 AG Series Lightweight Access Points
Cisco Wireless Control System version
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Technical Tips Conventions for more information on document
In WCS versions prior to release 5.0, WCS displayed too many rogue
access points (APs) on the Security Summary page. Even though
the rogue states differed, they all appeared on one page, sorted by the BSSID/MAC
address of the rogue.
In the WCS 5.0 release, WCS enhanced Rogue Management functionality and
introduced new terminologies (Unclassified, Malicious, and Friendly) for
different rogue AP types and provided user-defined rules to automatically
classify the rogue APs. WCS applied rogue AP classification rules to the
WCS enhanced the rogue state management function to keep the rogue
state as External once the state of a rogue has been
manually changed to External. WCS also updates the
External state for the other controllers when WCS pulls data from, or
handles trap messages from, the other controllers.
In order to support this feature, both WLC and WCS should be running
With this new functionality, these new rogue AP types are
Malicious AP: A detected AP that matches
user-defined Malicious rules or has been manually moved from Friendly
Friendly AP: The existing Known, Acknowledge, and Trust
Missing rogue states are classified as Friendly. In addition, detected APs that
match user-defined Friendly rules are classified as Friendly. Friendly APs
cannot be contained.
Unclassified AP: A detected AP that matched neither
the Malicious nor the Friendly rules. An Unclassified AP can be contained, and
it can be manually moved to Friendly by the user. User-defined
rules can automatically move an Unclassified AP to Friendly or Malicious; for
example, on detection the SSID is empty, but on the next rogue report an SSID is
found, and it turns out to be a user-configured
These are classification rules applicable to each of the rogue AP
The user can choose to match all, any, or
some of the rule conditions under each rule:
All means match all of the configured conditions for
Any means match any of the configured conditions for
Some means match some of the configured conditions for the rule
For example, under Malicious Rules, the user
configures Managed SSID and Minimum
RSSI. Then, the user has the choice to match all or
any of the two conditions, or match just the Minimum
When the controller receives the rogue report, it does this:
Checks whether the detected AP is in the user-configured Friendly MAC list. If so,
it classifies the AP as a Friendly type.
If the detected AP is not in the list, it starts to apply the
First, it applies the Malicious Rules. If a
Malicious Rule matches, the AP is classified as the Malicious
type. If the RLDP/rogue detector determines that this rogue is on the network, it
marks the rogue state as Threat. The user can manually
contain the AP, which changes the rogue state to Contained. If
the AP is not on the network, it marks the rogue state as
Alert, and the user can contain it manually.
If the Malicious Rules do not match, it applies the
Friendly Rules. If a Friendly Rule
matches, it classifies the AP as a Friendly type.
If the Friendly Rules do not match, it classifies this AP
as Unclassified. If the RLDP/rogue detector determines that this rogue is on
the network, it marks the rogue state as Threat and classifies the AP
as a Malicious type. The user can manually contain the AP, which changes the
rogue state to Contained. If the AP is not on the network, it marks
the rogue state as Alert, and the user can contain it
The user can manually move the AP to a different classification
This table shows the different classifications of rogues and the rogue
states for each classification.
Rule-based Classification Type
Internal (Known currently)
External (Acknowledge currently)
Internal Missing (Trust Missing)
Pending — On first detection, the detected AP is
put in the pending state for 3 minutes. This time is sufficient for managed APs
to determine if the detected AP is a neighbor AP.
Alert — After the 3-minute time-out, the detected AP
is moved to Alert if it is not in the neighbor list or
user-configured Friendly MAC list.
Threat — The detected AP is found on the
Contained — The detected AP is
Contained Pending — The detected AP is marked
contained, but the containment action is delayed because of unavailable
Internal — The detected AP is inside the network,
and the user manually configures it as Friendly, Internal, for
example, the APs in a lab network.
External — The detected AP is outside the network,
and the user manually configures it as Friendly, External, for
example, the APs that belong to a neighboring network.
Trusted Missing — If a user-configured Friendly
MAC was detected and is then not heard for the trust-timeout duration, the rogue state
of the Friendly AP is marked as Trusted Missing.
Removed — If a Malicious or Unclassified AP is
not heard by any of the controllers for the rogue-timeout duration, the rogue
state of the AP is marked as
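The controller's decision order described above (Friendly MAC list first, then Malicious rules, then Friendly rules, otherwise Unclassified, with the RLDP on-network result deciding Threat versus Alert and promoting an on-network Unclassified AP to Malicious), together with the time-driven transitions in the rogue-state list (the 3-minute Pending timer, Trusted Missing after the trust-timeout, Removed after the rogue-timeout), as an added Python example. It is not Cisco's code and is not taken from this document. The condition names (managed_ssid, ssid, min_rssi, no_encryption), the min_hits knob used to model the Some match operation, the per-MAC Internal/External value in the Friendly MAC list, the state assigned after a Friendly rule match, the timeout values and every sample report are assumptions made for the example.

```python
"""Illustrative model of the WCS 5.0 / WLC rogue classification order and rogue-state
aging described above. Written for this page, not Cisco code; condition names,
timeouts and all sample reports are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class RogueType(Enum):
    FRIENDLY = "Friendly"
    MALICIOUS = "Malicious"
    UNCLASSIFIED = "Unclassified"


@dataclass
class RogueReport:
    bssid: str
    ssid: str
    rssi: int          # dBm, as reported by the detecting managed AP
    encrypted: bool
    on_network: bool   # RLDP / rogue detector found the rogue wired to our network


@dataclass
class Rule:
    name: str
    rule_type: RogueType           # MALICIOUS or FRIENDLY
    match: str                     # Match Operation: "all", "any" or "some"
    conditions: Dict[str, object]  # condition name -> parameter
    min_hits: int = 1              # conditions "some" must satisfy (assumed knob)
    enabled: bool = True


# Condition evaluators; the names are an assumed mapping of the WLC rule conditions.
CONDITIONS: Dict[str, Callable[[RogueReport, object], bool]] = {
    "managed_ssid": lambda r, managed: r.ssid in managed,  # rogue advertises one of our SSIDs
    "ssid": lambda r, ssids: r.ssid in ssids,              # user-configured SSID list
    "min_rssi": lambda r, threshold: r.rssi >= threshold,  # strong enough to be nearby
    "no_encryption": lambda r, _: not r.encrypted,
}


def rule_matches(rule: Rule, report: RogueReport) -> bool:
    """Apply the rule's Match Operation (All / Any / Some) to its conditions."""
    if not rule.enabled or not rule.conditions:
        return False
    hits = sum(1 for name, param in rule.conditions.items() if CONDITIONS[name](report, param))
    needed = {"all": len(rule.conditions), "any": 1, "some": rule.min_hits}[rule.match]
    return hits >= needed


def classify(report: RogueReport, friendly_macs: Dict[str, str],
             rules: List[Rule]) -> Tuple[RogueType, str]:
    """Return (rogue type, rogue state) in the controller's decision order.
    friendly_macs maps a user-configured MAC to "Internal" or "External" (assumed
    to record the user's Friendly Internal/External choice). Rules apply in list
    order, all Malicious rules before any Friendly rule."""
    mac = report.bssid.lower()
    if mac in friendly_macs:                       # 1. Friendly MAC list wins outright
        return RogueType.FRIENDLY, friendly_macs[mac]
    for rule in (r for r in rules if r.rule_type is RogueType.MALICIOUS):
        if rule_matches(rule, report):             # 2. Malicious: on the wire => Threat
            return RogueType.MALICIOUS, "Threat" if report.on_network else "Alert"
    for rule in (r for r in rules if r.rule_type is RogueType.FRIENDLY):
        if rule_matches(rule, report):             # 3. Friendly (post-match state assumed Alert)
            return RogueType.FRIENDLY, "Alert"
    if report.on_network:                          # 4. Unclassified, unless RLDP finds it on
        return RogueType.MALICIOUS, "Threat"       #    the network: Threat, promoted to Malicious
    return RogueType.UNCLASSIFIED, "Alert"


PENDING_SECONDS = 3 * 60   # first detection stays Pending for 3 minutes


def age_state(rogue_type: RogueType, state: str, *, since_first_seen: int, unheard: int,
              is_neighbor: bool, in_friendly_list: bool, trust_timeout: int,
              rogue_timeout: int) -> str:
    """Time-driven transitions from the rogue-state list (all times in seconds)."""
    if state == "Pending":
        if since_first_seen < PENDING_SECONDS:
            return "Pending"
        # After the 3-minute timer, entries that are neither a neighbor AP nor on the
        # Friendly MAC list move to Alert; the others are left untouched here.
        return state if (is_neighbor or in_friendly_list) else "Alert"
    if rogue_type is RogueType.FRIENDLY and in_friendly_list:
        return "Trusted Missing" if unheard >= trust_timeout else state
    if rogue_type in (RogueType.MALICIOUS, RogueType.UNCLASSIFIED):
        return "Removed" if unheard >= rogue_timeout else state
    return state


def demo() -> Dict[str, Tuple[RogueType, str]]:
    """Run constructed sample reports through a constructed rule set."""
    managed = {"corp-wifi", "corp-guest"}
    rules = [
        Rule("Rule1", RogueType.MALICIOUS, "all", {"managed_ssid": managed, "min_rssi": -70}),
        Rule("Rule2", RogueType.MALICIOUS, "some",
             {"managed_ssid": managed, "min_rssi": -60, "no_encryption": None}, min_hits=2),
        Rule("LabAPs", RogueType.FRIENDLY, "any", {"ssid": {"lab-test"}}),
    ]
    friendly_macs = {"00:11:22:33:44:55": "Internal"}   # constructed Friendly MAC list entry
    reports = [  # constructed rogue reports
        RogueReport("00:11:22:33:44:55", "corp-wifi", -40, True, False),  # listed: Friendly anyway
        RogueReport("aa:bb:cc:00:00:01", "corp-wifi", -65, True, False),  # Rule1: spoofs our SSID
        RogueReport("aa:bb:cc:00:00:02", "lab-test", -80, False, False),  # only LabAPs matches
        RogueReport("aa:bb:cc:00:00:03", "linksys", -50, False, True),    # Rule2 (2 of 3), on wire
        RogueReport("aa:bb:cc:00:00:04", "cafe", -85, True, True),        # no rule, but on wire
        RogueReport("aa:bb:cc:00:00:05", "cafe", -85, True, False),       # no rule, not on wire
    ]
    return {r.bssid: classify(r, friendly_macs, rules) for r in reports}
```

Calling demo() returns one (type, state) pair per sample BSSID; the order of the rules list matters, since the first matching Malicious rule decides, and a Friendly rule is only consulted once every Malicious rule has failed. The aa:bb:cc:00:00:04 report shows the point the page makes about RLDP: with no rule hit it would be Unclassified, but being found on the wire makes it a Threat and promotes it to Malicious.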
In order to configure rogue rules on the Wireless LAN Controller,
complete these steps.
Rogue rules can be created from the WLC from the Security
> Wireless Protection Policies > Rogue Policies > Rogue Rules
In order to create a new rogue policy, click the Add
Rule button. The Rogue Rules window appears. Enter a
name for the rule. This example uses Rule1. Choose the type of rule. This is an
example of a Malicious rule. Click Add. Rule1 is created.
In order to edit this rule, click the rule that was created. The
Rogue Rule > Edit page appears. In this page, check the
Enable Rule check box to activate the rule. Choose the Match
Operation type and other conditions based on the requirement as in this
This is an example of the Friendly rogue rule policy.
The output of the rogue rules can be seen at Monitor >
Rogues > Malicious AP.
Similarly, the output of the Friendly Rules
and Unclassified Rules can be viewed at Monitor
> Rogues > Unclassified AP and Monitor > Rogues >
Friendly AP pages, respectively.
Rogue Rule List: WCS provides a system-level rogue rule
setting. In order to configure rogue rules on WCS, complete these
Choose Configure > Controller Template, and
then click Security > Rogue AP Rules to access the Rogue AP
Rules list page.
Click Add Classification Rule in the drop-down menu at the top
right to add a new classification rule.
Click the template name to edit the rogue rule. This rule detail
page enables you to edit or update the rogue AP rule, or to delete the rule.
Rogue AP Rule Setting Parameters: On this page,
users can enable any condition by checking its check box, and combine any
or all of these conditions:
This is an example of a Malicious rule:
This is an example of a Friendly rule:
The Rogue AP Rules page lists all of the rules created.
The next step is to configure a rule group and apply these rules to
the controllers. In order to do this, use the Rogue AP Rule
Groups setting on the WCS.
In order to create a new rule group, choose Configure >
Controller Template, and then click Security > Rogue AP
Rule Groups from the WCS GUI.
The Rogue AP Rule Groups > New Template page enables you to add or
update the rogue AP rule group, delete the rule, and apply the rule group to
the controller. Use the Add/Remove buttons to choose the rogue AP rules for
this rule group. Use the Up/Down buttons to specify the order in which the
rules are applied. This is an example. Once the rule group is configured,
Once you save the rule group, it can be applied to controllers. In
order to apply the rule group to the controller, edit the rule group. Click the
rule group name.
Click Apply to Controllers. On the next page,
choose the controllers to which this rule is applied. This is an example.
Once the rules are applied to the controllers, you see a
Success message on the WCS.
Details about the classified APs can be viewed on the
Security Summary page. This is an
Details about the classified APs, specifically Malicious, Friendly,
and Unclassified APs, can be viewed when you click the appropriate
classification from the Security Summary page. This is an example for the